How is SASL password delegation handled with LDAP users?

Hi there!

I ran into a problem today with my own NextCloud account that I wasn’t able to fix yet.

We run a NextCloud instance version 22.2.8 where users are pulled in via the LDAP integration app from our local LDAP.
The local LDAP syncs itself with our global LDAP but also has some users only created locally since they are only using local services.

When looking at the LDAP config of the local LDAP using ldapvi, the locally created users have the prefix {SSHA} in front of their hashed password in the password field, while the users pulled from the global LDAP have {SASL} and then their global account login name.

I now ran into the following problem:
My own account got synced from the global LDAP to the local LDAP and from there to NextCloud. The password in the local LDAP shows {SASL}MyLoginName. I assumed that this passes my GLOBAL login name and password along to the LOCAL LDAP and to NextCloud, so I would be able to log in to all services via my global credentials. I CAN log in to all services connected to the local LDAP via these credentials, but NOT into NextCloud. When I try to log in to NextCloud with my global password, it just says “wrong user name or password”.

One thing that might be important: My automatically assigned user name on NextCloud differs from my global login name, because a user with the same name was already present in NextCloud when my credentials got synced. My NextCloud user name therefore has a dash and a number attached. Could this be problematic when trying to authenticate me? Does NextCloud pass the authentication along to the local LDAP or the global one via SASL? Or does NextCloud just retrieve the user password at the time of initial sync with the local LDAP and then store the hashed password it got via SASL in its own database?

Thanks a lot in advance for any help!
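
An added example, not part of the original post: the two `userPassword` forms described above, handled in Python. An `{SSHA}` value carries a salted SHA-1 hash that can be checked directly, while a `{SASL}` value carries only an identity and no hash. The function names and sample values are constructed for illustration, and the comment on `{SASL}` assumes OpenLDAP-style pass-through authentication.

```python
import base64
import hashlib
import hmac


def make_ssha(password: str, salt: bytes) -> str:
    """Build an {SSHA} value: base64(SHA1(password + salt) + salt)."""
    digest = hashlib.sha1(password.encode() + salt).digest()
    return "{SSHA}" + base64.b64encode(digest + salt).decode()


def split_scheme(user_password: str):
    """Split '{SCHEME}rest' into (SCHEME, rest); no prefix means cleartext."""
    if user_password.startswith("{") and "}" in user_password:
        scheme, rest = user_password[1:].split("}", 1)
        return scheme.upper(), rest
    return "CLEARTEXT", user_password


def check_locally(user_password: str, candidate: str):
    """Return True/False if the entry holds a hash that can be verified here,
    or None if the entry only delegates verification elsewhere."""
    scheme, rest = split_scheme(user_password)
    if scheme == "SSHA":
        raw = base64.b64decode(rest)
        digest, salt = raw[:20], raw[20:]  # a SHA-1 digest is 20 bytes
        expected = hashlib.sha1(candidate.encode() + salt).digest()
        return hmac.compare_digest(digest, expected)
    if scheme == "SASL":
        # Assumption: OpenLDAP-style pass-through. 'rest' is only the identity
        # the directory server hands to an external SASL authentication
        # service together with the password supplied in the bind. There is
        # no hash in the entry, so nothing here can accept or reject it.
        return None
    raise ValueError("scheme not handled in this example: " + scheme)


if __name__ == "__main__":
    # Constructed sample values, not taken from any real directory.
    local_user = make_ssha("local-secret", b"\x01\x02\x03\x04")
    synced_user = "{SASL}MyLoginName"
    print(check_locally(local_user, "local-secret"))  # hash matches
    print(check_locally(local_user, "wrong"))         # hash does not match
    print(check_locally(synced_user, "anything"))     # delegated, undecidable
```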